DECREE NO. 2-24-921 ON THE USE OF CLOUD SERVICE PROVIDERS BY ENTITIES AND CRITICAL INFRASTRUCTURES HANDLING INFORMATION SYSTEMS OR SENSITIVE DATA

In order to boost digital transformation and foster the development of the national digital sector, promoting Cloud technologies has been made a cornerstone of the new national strategy. This strategy seeks to prioritize the use of Cloud and encourage administrations, public institutions, companies, and other economic actors to adopt this technology when outsourcing their information systems.

This strategic choice is supported by numerous advantages and opportunities offered by Cloud technology. With its transformative impact, Cloud enables flexible access to computing resources, reduces infrastructure costs, allows rapid scalability, facilitates remote collaboration, and provides value-added services such as data backup, analytics, and security.

The transition to cloud will undoubtedly compel entities and critical infrastructures to consider selection and arbitration criteria for cloud services, based on the specificities and sensitivity of their information systems, and to adopt appropriate approaches to managing security risks.

To this end, the General Directorate for Information Systems Security (DGSSI), under the High Royal Instructions, has developed a decree to regulate the use of Cloud services by entities and critical infrastructures managing sensitive information systems. This decree establishes a qualification framework for Cloud service providers.

Entities and critical infrastructures, under the provisions of Law 05-20 and its implementing decree, are required to take the necessary measures to protect their informational assets and information systems based on their sensitivity levels, in compliance with the guidelines and standards issued by DGSSI. Additionally, Article 25 of the aforementioned law mandates that these entities should use services, products, or solutions defined by the national authority to enhance their security functions.

In line with these requirements, the decree establishes a qualification framework for cloud service providers and sets forth guidelines for their selection when handling sensitive information systems and data, as defined by Law 05-20.

From a cybersecurity perspective, this framework aims to ensure that contracting authorities can rely on providers with proven expertise, robust technical and organizational security measures, and a high level of trustworthiness.

The qualification framework is structured on two levels. When responsible entities and critical infrastructure rely on cloud services to host, manage, or partially or fully operate their sensitive information systems, they must use Level 1-qualified providers. These providers must be established as Moroccan legal entities and must deploy all their operating and administrative systems within the national territory.

The objective of this first qualification level is to enable our country to exercise jurisdiction, particularly in cybersecurity matters, and to oversee the activities of cloud providers handling sensitive information systems.

The second level of qualification introduces additional legal and technical conditions. This level is mandatory when handling, managing, or storing sensitive data as defined by Law 05-20. The aim is to ensure that sensitive data, due to its confidentiality, is processed on infrastructures controlled by entities exclusively subject to national legislation.

Given the current maturity level of the national cloud ecosystem and recognizing that the market's capability to meet all requirements will evolve over time, a transitional measure has been implemented. This measure allows critical entities and infrastructures to use non-qualified providers when no national Cloud service option is available. In accordance with the approval process specified in the cybersecurity law, the adoption of Cloud solutions must be authorized by the highest authority within the entity or critical infrastructure. This decision should be guided by an impact assessment that considers both operational and legal aspects, along with a risk analysis to determine the effects of using cloud services on system security and, when relevant, the confidentiality of sensitive data.

 

 
